Re: Least Privilege & Special Powers of Attorney (UNCLASSIFIED)

To: "Friedrichs, Paul D CTR DISA PEO-IAN" <Paul.Friedrichs.ctr@disa.mil>
Subject: Re: Least Privilege & Special Powers of Attorney (UNCLASSIFIED)
From: "Tom Scavo" <trscavo@gmail.com>
Date: Thu, 12 Apr 2007 10:40:02 -0400
Cc: myproxy-users@ncsa.uiuc.edu
Content-disposition: inline
Content-transfer-encoding: 7bit
Content-type: text/plain; charset=ISO-8859-1; format=flowed
Dkim-signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=ewY3RLwuCdGQQqnigtDM2+5XS/UZ4SNdnV+ZyLm3YBKOnF2/TpOmNJ8ezmYe7Y524n1MnrAX1Q53omR0doDs+9io/IMryZJ8IHocnFWKG1GtFLV3dISm7H8orHJXBNJT3Ds2OF1MP7+uNenB9QiP+Yo/8emzi47+guz9u/KVQrs=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=Z798gHurh34wh9x9jICgjYO0wg0YRLACbOHAbKWf4Cmq6qRuZZjVxBbulcKWo2IucbzYVR5ULryQcbWWtJOrmOVQdh7CL89SoUwTVhyvb8834kIXIJbOy7RaLjB67jAuIbdac0SzN7GEkQ8ewPYl6bW/XMgSG3GLQAidFTyfAZA=
In-reply-to: <A1D78FBB8CE9CC4A9A12DEE15DD8D189EB1995@laccadive.disanet.disa-u.mil>
References: <A1D78FBB8CE9CC4A9A12DEE15DD8D189EB1995@laccadive.disanet.disa-u.mil>
Sender: owner-myproxy-users@ncsa.uiuc.edu

On 4/12/07, Friedrichs, Paul D CTR DISA PEO-IAN
<Paul.Friedrichs.ctr@disa.mil> wrote:


So it seems there would be value in having a schema for specifying
business functions in proxy credentials so relying parties would be able
to understand the restriction. The functions would likely be
domain-specific, but the concept and the syntax might be standardized.
Has there been any thought about how this might be done?


Yes, Paul, I have some thoughts about this, but I'm not a MyProxy
developer, so it may be orthogonal to planned or implemented
functionality.

One approach is to embed SAML assertions containing authorization
decision statements in a non-critical certificate extension.  In
another project, we are using this technique to push authentication
statements and attribute statements to relying parties, but I think
authorization decision statements could be used in a similar way to
limit the privileges associated with proxy certificates.

Tom Scavo
NCSA

Follow-Ups:
- RE: Least Privilege & Special Powers of Attorney (UNCLASSIFIED)
  - From: "Friedrichs, Paul D CTR DISA PEO-IAN" <Paul.Friedrichs.ctr@disa.mil>

References:
- Least Privilege & Special Powers of Attorney (UNCLASSIFIED)
  - From: "Friedrichs, Paul D CTR DISA PEO-IAN" <Paul.Friedrichs.ctr@disa.mil>

Prev by Date: Least Privilege & Special Powers of Attorney (UNCLASSIFIED)
Next by Date: Re: Something Stronger than a Passphrase? (UNCLASSIFIED)
Previous by thread: Least Privilege & Special Powers of Attorney (UNCLASSIFIED)
Next by thread: RE: Least Privilege & Special Powers of Attorney (UNCLASSIFIED)

Other Mailing lists | Author Index | Date Index | Subject Index | Thread Index